(57) Abstract: A local content server system (LCS) for creating a secure environment for digital content is disclosed, which system comprises: a communications port in communication for connecting the LCS via a network to at least one Secure Electronic Content Distributor (SECD), which SECD is capable of storing a plurality of data sets, is capable of receiving a request to transfer at least one content data set, and is capable of transmitting the at least one content data set in a secured transmission; a rewritable storage medium whereby content received from outside the LCS may be stored and retrieved; a domain processor that imposes rules and procedures for content being transferred between the LCS and devices outside the LCS; and a programmable address module which can be programmed with an identification code uniquely associated with the LCS. The LCS is provided with rules and procedures for accepting and transmitting content data. Optionally, the system may further comprise: an interface to permit the LCS to communicate with one or more Satellite Units (SU) which may be connected to the system through the interface, which SUs are capable of receiving and transmitting digital content; at least one SU; and/or at least one SECD. The SECD may have a storage device for storing a plurality of data sets, as well as a transaction processor for validating the request to purchase and for processing payment for a request to retrieve one of the data sets. The SECD typically includes a security module for encrypting or otherwise securitizing data which the SECD may transmit. A method for creating a secure environment for digital content for a consumer is also disclosed. As part of the method, a LCS requests and receives a digital data set that may be encrypted or scrambled. The digital data set may be embedded with at least one robust open watermark, which permits the content to be authenticated. The digital data set is preferably embedded with additional watermarks which are generated using information about the LCS requesting the copy and/or the SECD which provides the copy. Once received by the LCS, the LCS exercises control over the content and only releases the data to authorized users. Generally, the data is not released until the LCS embeds at least one additional watermark based upon protected information associated with the LCS and/or information associated with the user.
A SECURE PERSONAL CONTENT SERVER
Field of Invention

The present invention relates to the secure distribution of digitized value-added information, or media content, while preserving the ability of publishers to make available unsecured versions of the same value-added information, or media content, without adverse effect to the system's security.

Authentication, verification and authorization are all handled with a combination of cryptographic and steganographic protocols to achieve efficient, trusted, secure exchange of digital information.

Cross-Reference To Related Application

This application is based on and claims the benefit of pending U.S. Patent Application Serial No. 60/147,134, filed 08/04/99, entitled "A Secure Personal Content Server" and pending U.S. Patent Application Serial No. 60/213,489, filed 06/23/2000, entitled "A Secure Personal Content Server."

This application also incorporates by reference the following applications: pending U.S. Patent Application Serial No. 08/999,766, filed 7/23/97, entitled "Steganographic Method and Device"; pending U.S. Patent Application Serial No. 08/772,222, filed 12/20/96, entitled "Z-Transform Implementation of Digital Watermarks"; pending U.S. Patent Application Serial No. 09/456,319, filed 12/08/99, entitled "Transform Implementation of Digital Watermarks"; pending U.S. Patent Application Serial No. 08/674,726, filed 7/2/96, entitled "Exchange Mechanisms for Digital Information Packages with Bandwidth Securitization, Multichannel Digital Watermarks, and Key Management"; pending U.S. Patent Application Serial No. 09/545,589, filed 04/07/2000, entitled "Method and System for Digital Watermarking"; pending U.S. Patent Application Serial No. 09/046,627, filed 3/24/98, entitled "Method for Combining Transfer Function with Predetermined Key Creation"; pending U.S. Patent Application Serial No. 09/053,628, filed 04/02/98, entitled "Multiple Transform Utilization and Application for Secure Digital Watermarking"; pending U.S. Patent Application Serial No. 09/281,279, filed 3/30/99, entitled "Optimization Methods for the Insertion, Protection, and Detection..."; U.S. Patent Application Serial No. 09/594,719, filed June 16, 2000, entitled "Utilizing Data Reduction in Steganographic and Cryptographic Systems" (which is a continuation-in-part of PCT application No. PCT/US00/06522, filed 14 March 2000, which PCT application claimed priority to U.S. Provisional Application No. 60/125,990, filed 24 March 1999); and pending U.S. Application No. 60/169,274, filed 12/7/99, entitled "Systems, Methods And Devices For Trusted Transactions." All of the patent applications previously identified in this paragraph are hereby incorporated by reference, in their entireties.
Background of the Invention 

The music industry is at a critical inflection point. Digital technology enables anyone to make perfect replica copies of musical recordings from the comfort of their home, or, as in some circumstances, in an offshore factory. Internet technology enables anyone to distribute these copies to their friends, or the entire world. Indeed, virtually any popular recording is already likely available in the MP3 format, for free if you know where to look.

How the industry will respond to these challenges and protect the rights and livelihoods of copyright owners and managers has been a matter of increasing discussion, both in private industry forums and the public media. Security disasters like the cracking of DVD-Video's CSS security system have increased doubt about the potential for effective robust security implementations. Meanwhile, the success of non-secure initiatives such as portable MP3 players leads many to believe that these decisions may have already been made.

Music consumers have grown accustomed to copying their music for their own personal use. This fact of life was written into law in the United States via the Audio Home Recording Act of 1992. Millions of consumers have CD players and purchase music in the Compact Disc format. It is expected to take years for a format transition away from Red Book CD Audio to reach significant market penetration.

Hence, a need exists for a new and improved system for protecting digital 
content against unauthorized copying and distribution. 
Summary of the invention 

A local content server system (LCS) for creating a secure environment for digital content is disclosed, which system comprises: a communications port in communication for connecting the LCS via a network to at least one Secure Electronic Content Distributor (SECD), which SECD is capable of storing a plurality of data sets, is capable of receiving a request to transfer at least one content data set, and is capable of transmitting the at least one content data set in a secured transmission; a rewritable storage medium whereby content received from outside the LCS may be stored and retrieved; a domain processor that imposes rules and procedures for content being transferred between the LCS and devices outside the LCS; and a programmable address module which can be programmed with an identification code uniquely associated with the LCS. The LCS is provided with rules and procedures for accepting and transmitting content data. Optionally, the system may further comprise: an interface to permit the LCS to communicate with one or more Satellite Units (SU) which may be connected to the system through the interface, which SUs are capable of receiving and transmitting digital content; at least one SU; and/or at least one SECD. The SECD may have a storage device for storing a plurality of data sets, as well as a transaction processor for validating the request to purchase and for processing payment for a request to retrieve one of the data sets. The SECD typically includes a security module for encrypting or otherwise securitizing data which the SECD may transmit.

A method for creating a secure environment for digital content for a consumer is also disclosed. As part of the method, a LCS requests and receives a digital data set that may be encrypted or scrambled. The digital data set may be embedded with at least one robust open watermark, which permits the content to be authenticated. The digital data set is preferably embedded with additional watermarks which are generated using information about the LCS requesting the copy and/or the SECD which provides the copy. Once received by the LCS, the LCS exercises control over the content and only releases the data to authorized users. Generally, the data is not released until the LCS embeds at least one additional watermark based upon protected information associated with the LCS and/or information associated with the user.

Another embodiment of the method of the present invention comprises: connecting a Satellite Unit (SU) to a local content server (LCS); sending a message indicating that the SU is requesting a copy of a content data set that is stored on the LCS, said message including information about the identity of the SU; analyzing the message to confirm that the SU is authorized to use the LCS; retrieving a copy of the requested content data set; assessing whether a secured connection exists between the LCS and the SU; if a secured connection exists, embedding a watermark into the copy of the requested content data set, said watermark being created based upon information transmitted by the SU and information about the LCS; and delivering the content data set to the SU for its use.

The SU may also request information that is located not on the LCS, but on 
an SECD, in which case, the LCS will request and obtain a copy from the SECD, 
provided the requesting SU is authorized to access the information. 
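As an added illustration of the SU request flow just described, including the case where the LCS must first obtain the copy from the SECD, here is a constructed Python model; it is not the patent's own code. The class names, the HMAC-SHA256 derivation of the per-transaction watermark (a keyed one-way hash, in the spirit of the Unique ID definition later in this document) and the least-significant-bit embedding that stands in for the robust watermarking methods incorporated by reference are all assumptions of this example.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed model of the SU -> LCS -> SECD request flow; an added example,
# not the patent's own code. Class names, the HMAC-SHA256 watermark
# derivation and the LSB embedding are assumptions of this example.

WATERMARK_BYTES = 32  # one HMAC-SHA256 digest, carried one bit per sample


def transaction_watermark(lcs_secret: bytes, lcs_id: str, su_id: str,
                          content_id: str, txn: int) -> bytes:
    """Per-transaction mark: a keyed one-way hash over the SU, LCS and
    content identifiers plus a transaction counter. Keying it with the
    LCS's protected information keeps an SU from forging it."""
    msg = f"{lcs_id}|{su_id}|{content_id}|{txn}".encode()
    return hmac.new(lcs_secret, msg, "sha256").digest()


def embed_lsb(samples: List[int], payload: bytes) -> List[int]:
    """Write payload bits into the least significant bit of successive
    16-bit samples. LSB substitution stands in for the robust watermarking
    the page incorporates by reference; it keeps every sample in range."""
    if len(samples) < 8 * len(payload):
        raise ValueError("content too short to carry the watermark")
    out = list(samples)
    for i in range(8 * len(payload)):
        bit = (payload[i // 8] >> (7 - i % 8)) & 1
        out[i] = (out[i] & ~1) | bit
    return out


def extract_lsb(samples: List[int], nbytes: int) -> bytes:
    """Inverse of embed_lsb: read nbytes back out of the sample LSBs."""
    bits = "".join(str(s & 1) for s in samples[:8 * nbytes])
    return bytes(int(bits[i:i + 8], 2) for i in range(0, 8 * nbytes, 8))


@dataclass
class SECD:
    """Stand-in for a Secure Electronic Content Distributor (constructed)."""
    catalogue: Dict[str, List[int]]  # content_id -> 16-bit samples

    def transfer(self, content_id: str) -> Optional[List[int]]:
        # A real SECD validates the purchase, processes payment and sends
        # the data set in a secured transmission; this model only serves it.
        data = self.catalogue.get(content_id)
        return list(data) if data is not None else None


@dataclass
class LocalContentServer:
    unique_id: str
    secret: bytes                # protected information associated with the LCS
    authorized_sus: Set[str]     # SUs admitted to this LCS domain
    store: Dict[str, List[int]] = field(default_factory=dict)  # rewritable storage
    secd: Optional[SECD] = None
    txn_counter: int = 0

    def request_content(self, su_id: str, content_id: str,
                        secured: bool) -> Tuple[Optional[List[int]], str]:
        """Handle an SU request message. Returns (watermarked copy, status);
        the copy is None whenever the domain rules refuse release."""
        # Analyse the message: confirm the SU is authorized to use this LCS.
        if su_id not in self.authorized_sus:
            return None, "refused: SU is not authorized for this LCS domain"
        # Retrieve the copy; if it is not on the LCS, obtain it from the SECD.
        samples = self.store.get(content_id)
        if samples is None and self.secd is not None:
            samples = self.secd.transfer(content_id)
            if samples is not None:
                self.store[content_id] = samples   # now held inside the domain
        if samples is None:
            return None, "refused: content not available from LCS or SECD"
        # Assess whether a secured connection exists before releasing data.
        if not secured:
            return None, "refused: no secured connection between LCS and SU"
        # Embed a watermark built from SU information and LCS information.
        self.txn_counter += 1
        mark = transaction_watermark(self.secret, self.unique_id, su_id,
                                     content_id, self.txn_counter)
        return embed_lsb(samples, mark), f"delivered: txn {self.txn_counter}"


if __name__ == "__main__":
    # Constructed content: 600 signed 16-bit samples (a ramp, not real audio).
    secd = SECD({"song-1": list(range(-300, 300))})
    lcs = LocalContentServer("LCS-01", b"lcs-protected-secret", {"SU-A"}, secd=secd)
    copy, status = lcs.request_content("SU-A", "song-1", secured=True)
    print(status, extract_lsb(copy, WATERMARK_BYTES).hex())
    print(lcs.request_content("SU-B", "song-1", secured=True)[1])
```

Because the mark is keyed with the LCS's protected information, the LCS can later recompute it from the SU, content and transaction identifiers and verify which transaction a circulating copy came from.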

Digital technology offers economies of scale to value-added data not possible with physical or tangible media distribution. The ability to digitize information both reduces the cost of copying and enables perfect copies. This is an advantage and a disadvantage to commercial publishers who must weigh the cost reduction against the real threat of unauthorized duplication of their value-added data content. Because cost reduction is an important business consideration, securing payment and authenticating individual copies of digital information (such as media content) presents unique opportunities to information service and media content providers. The present invention seeks to leverage the benefits of digital distribution to consumers and publishers alike, while ensuring the development and persistence of trust between all parties, as well as with any third parties involved, directly or indirectly, in a given transaction.

In another approach that is related to this goal, there are instances where transactions must be allowed to happen after perceptually-based digital information can be authenticated. (Perceptually based information is information whose value is, in large part, based upon its ability to be perceived by a human, and includes, for example, acoustic, psychoacoustic, visual and psychovisual information.) The process of authenticating before distributing will become increasingly important for areas where the distributed material is related to a trust-requiring transaction event. A number of examples exist. These include virtual retailers (for example, an on-line music store selling CDs and electronic versions of songs); service providers (for example, an on-line bank or broker who performs transactions on behalf of a consumer); and transaction providers (for example, wholesalers or auction houses). These parties have different authentication interests and requirements. By using the teachings of this application, these interests and requirements may be separated and then independently quantified by market participants in shorter periods of time.

All parties in a transaction must authenticate information that is perceptually observable before trust between the parties can be established. In today's world, information (including perceptually rich information) is typically digitized, and as a result, can easily be copied and redistributed, negatively impacting buyers, sellers and other market participants. Unauthorized redistribution confuses authenticity, non-repudiation, limit of liability and other important "transaction events." In a networked environment, transactions and interactions occur over a transmission line or a network, with buyer and seller at different points on the line or network. While such electronic transactions have the potential to add value to the underlying information being bought and sold (and the potential to reduce the cost of the transaction), instantaneous piracy can significantly reduce the value of the underlying data, if not wholly destroy it. Even the threat of piracy tends to undermine the value of the data that might otherwise exist for such an electronic transaction.

Related situations range from the ability to provably establish the "existence" of a virtual financial institution to determining the reliability of an "electronic stamp." The present invention seeks to improve on the prior art by describing optimal combinations of cryptographic and steganographic protocols for "trusted" verification, confidence and non-repudiation of digitized representations of perceptually rich information of the actual seller, vendor or other associated institutions which may not be commercial in nature (confidence building with logos such as those of the SEC, FDIC, Federal Reserve, FBI, etc. applies). To the extent that an entity plays a role in purchase decisions made by a consumer of goods and services relating to data, the present invention has a wide range of beneficial applications. One is enabling independent trust based on real world representations that are not physically available to a consumer or user. A second is the ability to match informational needs between buyers and sellers that may not be universally appealing or cost effective in given market situations. These include auction models based on recognition of the interests or demand of consumers and market participants — which make trading profitable by focusing specialized buyers and sellers. Another use for the information matching is to establish limits on the liability of such institutions and profit-seeking entities, such as insurance providers or credit companies. These vendors lack appropriate tools for determining intangible asset risk or even the value of the information being exchanged. By encouraging separate and distinct "trust" arrangements over an electronic network, profitable market-based relationships can result.

The present invention can make possible efficient and openly accessible markets for tradable information. Existing transaction security (including on-line credit cards, electronic cash or its equivalents, electronic wallets, electronic tokens, etc.), which primarily uses cryptographic techniques to secure a transmission channel but is not directly associated with or dependent on the information being sold, fails to meet this valuable need. The present invention proposes a departure from the prior art by separating transactions from authentication in the sale of digitized data. Such data may include videos, songs, images, electronic stamps, electronic trademarks, and electronic logos used to ensure membership in some institutional body whose purpose is to assist in a dispute, limit liability and provide indirect guidance to consumers and market participants alike.

With an increasingly anonymous marketplace, the present invention offers invaluable embodiments to accomplish "trusted" transactions in a more flexible, transparent manner while enabling market participants to negotiate terms and conditions. Negotiation may be driven by predetermined usage rules or parameters, especially as the information economy offers potentially many competitive marketplaces in which to transact, trade or exchange among businesses and consumers. As information grows exponentially, flexibility becomes an advantage to market participants, in that they need to screen, filter and verify information before making a transaction decision. Moreover, the accuracy and speed at which decisions can be made reliably enables confidence to grow with an aggregate of "trusted transactions". "Trusted transactions" beget further "trusted transactions" through experience. The present invention also provides for improvements over the prior art in the ability to utilize different independently important "modules" to enable a "trusted transaction" using competitive cryptographic and steganographic elements, as well as being able to support a wide variety of perceptually-based media and information formats. The envisioned system is not bound by a proprietary means of creating recognition for a good or service, such as that embodied in existing closed systems. Instead, the flexibility of the present invention will enable a greater and more diverse information marketplace.

The present invention is not a "trusted system", per se, but "trusted transactions" are enabled, since the same value-added information that is sought may still be in the clear, not in a protected storage area or closed, rule-based "inaccessible virtual environment".

A related additional set of embodiments regards the further separation of the transaction and the consumer's identification versus the identification of the transaction only. This is accomplished through separated "trusted transactions" bound by authentication, verification and authorization in a transparent manner. With these embodiments, consumer and vendor privacy could be incorporated. More sophisticated relationships are anticipated between parties, who can mix information about their physical goods and services with a transparent means for consumers, who may not be known to the seller, who choose not to confide in an inherently closed "trusted system" or provide additional personal information or purchasing information (in the form of a credit card or other electronic payment system), in advance of an actual purchase decision or ability to observe (audibly or visibly) the content in the clear. This dynamic is inconsistent with the prior art's emphasis on access control, not transparent access to value-added information (in the form of goods or services), that can be transacted on an electronic or otherwise anonymous exchange.

These embodiments may include decisions about availability of a particular good or service through electronic means, such as the Internet, or means that can be modularized to conduct a transaction based on interconnection of various users (such as WebTV, a Nintendo or Sony game console with network abilities, cellular phone, PalmPilot, etc.). These embodiments may additionally be implemented in traditional auction types (including Dutch auctions). Consumers may view their anonymous marketplace transactions very differently because of a lack of physical human interactions, but the present invention can enable realistic transactions to occur by maintaining open access and offering strict authentication and verification of the information being traded. This has the effect of allowing legacy relationships, legacy information, and legacy business models to be offered in a manner which more closely reflects many observable transactions in the physical world. The tremendous benefits to sellers and consumers are obvious; existing transactions need not reduce their expectations of security. As well, the ability to isolate and quantify aspects of a transaction by module potentially allows for better price determinations of intangible asset insurance, transaction costs, advertising costs, liability, etc. which have physical world precedent.

It is contemplated that the publisher and/or owner of the copyrights will want to dictate restrictions on the ability of the purchaser to use the data being sold. Such restrictions can be implemented through the present invention, which presents a significant advantage over the prior art (which attempts to effect security through access control and attempted tight reins over distribution). See US Pat. No. 5,428,606 for a discussion on democratizing digital information exchange between publishers and subscribers of said information.

A goal for providers of value-added content is to maximize profits for the sale of their content. Marketing and promotion of the informational content cannot be eliminated, considering the ever increasing amount of information vying for consumers' and other market participants' attention. Nonetheless, in a market where the goods are speculatively valued, marketing budgets are inherently constrained, as you are trying to create demand for a product with little inherent value. Where such markets have participants, both buyers and sellers and their respective agents, with access to the same information in real time, market mechanisms efficiently price the market goods or services. These markets are characterized by "price commoditization" so buyers and sellers are limited to differentiating their offerings by selection and service. If the markets are about information itself, it has proven more difficult to accurately forecast the target price where sellers can maximize their profits. Quality and quantity provide different evaluation criteria of selection and service relating to the information being traded. The present invention regards a particular set of implementations of value-added content security in markets which may include unsecured and secure versions of the same value-added data (such as songs, video, research, pictures, electronic logos, electronic trademarks, value-added information, etc.).

Transactions for value-added information can occur without any physical location. So, there is a need for a secure personal content server for which the value-added information can be offered for transactions in a manner similar to real world transactions. One feature is to offer seemingly similar value-added information in differing quality settings. These settings have logical relationships with fidelity and discreteness and are determined by market participants. Another issue is that because purchasers may be anonymous to sellers, it is more important to have a particular value-added information object available so that market participants can fulfill their role as consumers.

One fundamental weakness of current information markets is the lack of mechanisms to ensure that buyers and sellers can reach pricing equilibrium. This deficit is related to the "speculative", "fashion", and "vanity" aspects of perceptual content (such as music, video, and art or some future recognition to purchasers). For other goods and services being marketed to an anonymous marketplace, market participants may never see (and indeed, may choose to never see) an actual location where the transaction may physically occur. A physical location may simply not exist. There are a number of such virtual operations in business today, which would benefit from the improvements offered under the present system.

The present invention also seeks to provide improvements to the art in enabling a realistic model for building trust between parties (or their agents) not in a "system", per se, because prior art systems lack any inherent ability to allow for information to flow freely to enable buyers and sellers to react to changing market conditions. The present invention can co-exist with these "trusted systems" to the extent that all market participants in a given industry have relatively similar information with which to price value-added data. The improvement over such systems, however, addresses a core feature in most data-added value markets: predictions, forecasts, and speculation over the value of information are largely an unsuccessful activity for buyers and sellers alike. The additional improvement is the ability to maintain security even with unsecured or legacy versions of value-added information available to those who seek choices that fit less quantitative criteria — "aesthetic quality" of the information versus "commercial price". Purchase or transaction decisions can be made first by authenticating an electronic version of a song, image, video, trademark, stamp, currency, etc.

Additional anticipated improvements include the ability to support varying pricing models such as auctions that are difficult or impossible to accomplish under existing prior art that leaves all access and pricing control with the seller alone, and the separation of the transaction from the exchange of the value-added information, which gives more control to buyers over their identities and purchasing habits (both sensitive and separately distinct forms of "unrelated" value-added information). Essentially, no system known in the art allows for realistic protocols to establish trust between buyers and sellers in a manner more closely reflecting actual purchasing behavior of consumers and changing selling behavior of sellers. The goal in such transactions is the creation of trust between parties as well as "trusted relationships" with those parties. The present invention is an example of one such system for media content where the "aesthetic" or "gestalt" of the underlying content and its characteristics is a component of buying habits. Without an ability to open distribution systems to varying buyers and sellers, media content may be priced at less than maximum economic value and buyers may be deprived of a competitive, vigorous marketplace for exciting media content from many different creative participants.

To the extent that recognition plays such a key role in an information economy, value-added data should be as accessible as possible to the highest number of market participants in the interests of furthering creativity and building a competitive marketplace for related goods and services. This is to the benefit of both buyers and sellers as well as the other participants in such an economic ecosystem. The Internet and other transmission-based transactions with unknown parties present a number of challenges to information vendors who wish to develop customer relations, trust and profitable sales. The information economy is largely an anonymous marketplace, thus making it much more difficult to identify consumers and sellers. The present invention provides remedies to help overcome these weaknesses.
The present invention is concerned with methods and systems which enable secure, paid exchange of value-added information, while separating transaction protocols. The present invention improves on existing means for distribution control by relying on authentication, verification and authorization that may be flexibly determined by both buyers and sellers. These determinations may not need to be predetermined, although a pricing matrix and variable access to the information open additional advantages over the prior art. The present invention offers methods and protocols for ensuring value-added information distribution can be used to facilitate trust in a large or relatively anonymous marketplace (such as the Internet's World Wide Web).

We now define components of the preferred embodiments for methods, 
systems, and devices. 
Definitions: 

Local Content Server (LCS): A device or software application which can securely store a collection of value-added digital content. The LCS has a unique ID.

Secure Electronic Content Distributor (SECD): An entity, device or software application which can validate a transaction with a LCS, process a payment, and deliver digital content securely to a LCS. In cryptographic terms, the SECD acts as a "certification authority" or its equivalent. SECDs may have differing arrangements with consumers and providers of value-added information. (The term "content" is used to refer generally to digital data, and may comprise video, audio, or any other data that is stored in a digital format.)

Satellite Unit (SU): A portable medium or device which can accept secure digital content from a LCS through a physical, local connection and which can either play or make playable the digital content. The SU may have other functionality as it relates to manipulating the content, such as recording. The SU has a unique ID. An SU may be a CD player, a video camera, a backup drive, or other electronic device which has a storage unit for digital data.

LCS Domain: A secure medium or area where digital content can be stored, with an accompanying rule system for transfer of digital content in and out of the LCS Domain. The domain may be a single device or multiple devices — all of which have some common ownership or control. Preferably, a LCS domain is linked to a single purchasing account. Inside the domain, one can enjoy music or other digital data without substantial limitations — as typically a license extends to all personal use.

SecureChannel™: A secure channel to pass individualized content to differentiate authentic content from legacy or unauthorized, pirated content. For example, the Secure Channel may be used as an auxiliary channel through which members of the production and distribution chain may communicate directly with individual consumers. Preferably, the Secure Channel is never exposed and can only be accessed through legitimate methods. SecureChannel may carry a value-adding component (VAC). The ability to provide consumers with value adding features will serve to give consumers an incentive to purchase new, secure hardware and software that can provide the additional enhanced services. The SecureChannel may also include protected associated data — data which is associated with a user and/or a particular set of content.

Standard Quality: A transfer path into the LCS Domain which maintains the digital content at a predetermined reference level or degrades the content if it is at a higher quality level. In an audio implementation, this might be defined as Red Book CD Quality (44100 Hz., 16 bits, 2 channels). This transfer path can alternately be defined in terms of a subset of VAC's or a quality level associated with particular VAC's. If a VAC is not in the subset, it is not passed. If a VAC is above the defined quality level, it is degraded.

Low Quality: A transfer path into the LCS Domain which degrades the digital content to a sub-reference level. In an audio implementation, this might be defined as below CD Quality (for instance, 32000 Hz., 16 bits, 2 channels). This transfer path can alternately be defined in terms of an absence of VAC's or a degraded quality level associated with particular VAC's.

High Quality: A transfer path into the LCS Domain which allows digital content of any quality level to pass unaltered. This transfer path can alternately be defined in terms of a complete set of VAC's or the highest quality level available associated with particular VAC's.

Rewritable Media: A mass storage device which can be rewritten (e.g. hard drive, CD-RW, Zip cartridge, M-O drive, etc.).

Read-Only Media: A mass storage device which can only be written once (e.g. CD-ROM, CD-R, DVD, DVD-R, etc.). Note: pre-recorded music, video, software, or images, etc. are all "read only" media.

Unique ID: A Unique ID is created for a particular transaction and is unique to that transaction (roughly analogous to a human fingerprint). One way to generate a Unique ID is with a one-way hash function. Another way is to incorporate the hash result, together with a message, into a signing algorithm, which creates a signature scheme. For example, the hash result may be concatenated to the digitized, value added information which is the subject of a transaction. Additional uniqueness may be observed in a hardware device so as to differentiate that device, which may be used in a plurality of transactions, from other similar devices.

Value-added: Value-added information is differentiated from non-commoditized information in terms of its marketability or demand, which can vary, obviously, from each market that is created for the information. By way of example, information in the abstract has no value until a market is created for the information (i.e., the information becomes a commodity). The same information can be packaged in many different forms, each of which may have different values. Because information is easily digitized, one way to package the "same" information differently is by different levels of fidelity and discreteness. Value is typically bounded by context and consideration.

Authentication: A receiver of a "message" (embedded or otherwise within the value-added information) should be able to ascertain the origin of the message (or by effects, the origin of the carrier within which the message is stored). An intruder should not be able to successfully represent someone else. Additional functionality such as Message Authentication Codes (MAC) could be incorporated (a one-way hash function with a secret key) to ensure limited verification or subsequent processing of value-added data.

Verification: In cryptographic terms, "verification" serves the "integrity" function to prevent an intruder from substituting false messages for legitimate ones. In this sense, the receiver of the message (embedded or otherwise present within the value-added information) should be assured that the message was not modified or altered in transit.
One-way hash function: One-way hash functions are known in the art. A hash function is a function which converts an input into an output, which is usually a fixed-sized output. For example, a simple hash function may be a function which accepts a digital stream of bytes and returns a byte consisting of the XOR function of all of the bytes in the digital stream of input data. Roughly speaking, the hash function may be used to generate a "fingerprint" for the input data. The hash function need not be chosen based on the characteristics of the input. Moreover, the output produced by the hash function (i.e., the "hash") need not be secret, because in most instances it is not computationally feasible to reconstruct the input which yielded the hash. This is especially true for a "one-way" hash function, one that can be used to generate a hash value for a given input string, but which hash cannot be used (at least, not without great effort) to create an input string that could generate the same hash value.
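As an added illustration of the Unique ID, Authentication, Verification and one-way hash definitions above (example code written for this page, not part of the patent), the Python below contrasts the patent's toy XOR hash with a real one-way hash, builds a transaction Unique ID from length-prefixed fields, and uses a keyed hash (HMAC-SHA256) as the Message Authentication Code. The field names, sample bytes and key are constructed; the patent does not specify SHA-256 or HMAC, so those are assumptions.

```python
import hashlib
import hmac


def xor_hash(data: bytes) -> int:
    """The page's toy example: XOR of every input byte, giving a one-byte 'fingerprint'."""
    h = 0
    for b in data:
        h ^= b
    return h


def one_way_fingerprint(data: bytes) -> str:
    """A real one-way hash (SHA-256, assumed) of the input stream."""
    return hashlib.sha256(data).hexdigest()


def transaction_unique_id(device_id: bytes, content: bytes, nonce: bytes) -> str:
    """Unique ID for one transaction: a hash over the device identity, a per-transaction
    nonce and the content characteristics. Each field is length-prefixed so that
    concatenated fields cannot be shifted between one another and still hash the same."""
    h = hashlib.sha256()
    for field in (device_id, nonce, content):
        h.update(len(field).to_bytes(4, "big"))
        h.update(field)
    return h.hexdigest()


def mac_tag(secret_key: bytes, message: bytes) -> bytes:
    """Message Authentication Code: a one-way hash keyed with a secret (HMAC-SHA256)."""
    return hmac.new(secret_key, message, hashlib.sha256).digest()


def verify_mac(secret_key: bytes, message: bytes, tag: bytes) -> bool:
    """Verification (integrity) and authentication (origin) in one check: only a holder
    of the key can produce a matching tag. compare_digest avoids a timing side channel."""
    return hmac.compare_digest(mac_tag(secret_key, message), tag)


# Constructed sample values (not from the page).
DEVICE_ID = b"LCS-UNIQUE-ID-0001"
CONTENT = b"\x00\x10\x00\x20\x00\x30"          # a few constructed 16-bit audio samples
SHARED_KEY = b"constructed-shared-secret-key"


def demo() -> dict:
    """Run the checks a receiver would make; every entry should be True."""
    uid_a = transaction_unique_id(DEVICE_ID, CONTENT, b"nonce-1")
    uid_b = transaction_unique_id(DEVICE_ID, CONTENT, b"nonce-2")
    tag = mac_tag(SHARED_KEY, CONTENT)
    return {
        # the toy XOR hash collides on any permutation of its input
        "xor_collides": xor_hash(b"ab") == xor_hash(b"ba"),
        # same device and content, different transaction -> different Unique ID
        "distinct_uids": uid_a != uid_b,
        "tag_ok": verify_mac(SHARED_KEY, CONTENT, tag),
        "tamper_detected": not verify_mac(SHARED_KEY, CONTENT + b"\x00", tag),
        "wrong_key_rejected": not verify_mac(b"other-key", CONTENT, tag),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The XOR hash shows why the definition insists on a one-way function: any reordering of the input bytes collides, so it cannot serve as a fingerprint. The length prefix in transaction_unique_id matters because the patent concatenates the hash result with the value-added information; without it, the boundary between concatenated fields can move while the hashed byte string stays identical.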

Authorization: A term which is used broadly to cover the acts of conveying official sanction, permitting access or granting legal power to an entity.

Encryption: For non-digitally-sampled data, encryption is data scrambling using keys. For value-added or information rich data with content characteristics, encryption is typically slow or inefficient because content file sizes tend to be generally large. Encrypted data is called "ciphertext".

Scrambling: For digitally-sampled data, scrambling refers to manipulations of the value-added or information rich data at the inherent granularity of the file format. The manipulations are associated with a key, which may be made cryptographically secure or broken into key pairs. Scrambling is efficient for larger media files and can be used to provide content in less than commercially viable or referenced quality levels. Scrambling is not as secure as encryption for these applications, but provides more fitting manipulation of media rich content in the context of secured distribution. Scrambled data is also called "ciphertext" for the purposes of this invention. Encryption generally acts on the data as a whole, whereas scrambling is applied often to a particular subset of the data concerned with the granularity of the data, for instance the file formatting. The result is that a smaller amount of data is "encoded" or "processed" versus strict encryption, where all of the data is "encoded" or "processed." By way of example, a cable TV signal can be scrambled by altering the signal which provides for horizontal and vertical tracking, which would alter only a subset of the data, but not all of the data — which is why the audio signal is often untouched. Encryption, however, would generally so alter the data that no recognizable signal would be perceptually appreciated. Further, the scrambled data can be compared with the unscrambled data to yield the scrambling key. The difference with encryption is that the ciphertext is not completely random, that is, the scrambled data is still perceptible albeit in a lessened quality. Unlike watermarking, which maps a change to the data set, scrambling is a transfer function which does not alter or modify the data set.

Detailed Discussion of Invention

The LCS Domain is a logical area inside which a set of rules governing content use can be strictly enforced. The exact rules can vary between implementations, but in general, unrestricted access to the content inside the LCS Domain is disallowed. The LCS Domain has a set of paths which allow content to enter the domain under different circumstances. The LCS Domain also has paths which allow the content to exit the domain.

A simple example provides insight into the scope of an LCS domain. If an LCS is assigned to an individual, then all music, video, and other content data which has lawfully issued to the individual may be freely used on that person's LCS domain (though perhaps "freely" is misleading, as in theory, the individual has purchased a license). A LCS Domain may comprise multiple SUs, for example, a video player, a CD player, etc. An individual may be authorized to take a copy of a song and play it in another's car stereo, but only while the individual's device or media is present. Once the device is removed, the friend's LCS will no longer have a copy of the music to play.

The act of entering the LCS Domain includes a verification of the content (an authentication check). Depending upon the source of the content, such verification may be easier or harder. Unvalidatable content will be subjected to a quality degradation. Content that can be validated but which belongs to a different LCS Domain will be excluded. The primary purpose of the validation is to prevent unauthorized, high-quality sharing of content between domains.
When content leaves the LCS Domain, the exiting content is embedded with information to uniquely identify the exiting content as belonging to the domain from which the content is leaving. It is allowed to leave at the quality level at which the content was originally stored in the LCS Domain (i.e. the quality level determined by the validation path). For example, the exiting content may include an embedded digital watermark and an attached hash or digital signature; the exiting content may also include a time stamp, which itself may be embedded or merely attached. Once it has exited, the content cannot return to the domain unless both the watermark and hash can be verified as belonging to this domain. The presence of one or the other may be sufficient to allow re-entry, or security can be set to require the presence of more than one identification signal.

This system is designed to allow a certifiable level of security for high-quality content while allowing a device to also be usable with unsecured content at a degraded quality level. The security measures are designed such that a removal of the watermark constitutes only a partial failure of the system. The altered content (i.e., the content from which the watermark has been removed or the content in which the watermark has been degraded) will be allowed back into the LCS Domain, but only at a degraded quality level, as a result of the watermark destruction and the content's subsequent obscurity to the system. Consumers will not be affected beyond the degradation of the unauthorized content; access to the content has not been denied. Only a complete forgery of a cryptographically-secure watermark will constitute a complete failure of the system. For a discussion on such implementations please see US Pat. No. 5,613,004, US Pat. No. 5,687,236, US Pat. No. 5,745,569, US Pat. No. 5,822,432, US Pat. No. 5,889,868, US Pat. No. 5,905,800, included by reference in their entirety, and pending U.S. patent applications with Serial No. 09/046,627 "Method for Combining Transfer Function...", Serial No. 09/053,628 "Multiple Transform Utilization and Application for Secure Digital Watermarking", Serial No. 08/775,216 "Steganographic Method and Device", Serial No. 08/772,222 "Z-Transform Implementation", and Serial No. 60/125990 "Utilizing Data Reduction in Steganographic and Cryptographic Systems".
Provable security protocols can minimize this risk. Thus the embedding system used to place the watermark does not need to be optimized for robustness, only for imperceptibility (important to publishers and consumers alike) and security (more important to publishers than to consumers). Ideally, as previously disclosed, security should not obscure the content, or prevent market participants from accessing information, which in the long term, should help develop trust or create relationships.

The system can flexibly support one or more "robust" watermarks as a method for screening content to speed processing. Final validation, however, relies upon the fragile, secure watermark and its hash or digital signature (a secure time stamp may also be incorporated). Fragile watermarks, meaning that signal manipulations would affect the watermark, may be included as a means to affect the quality of the content or any additional attributes intended to be delivered to the consumer.

LCS Functions

The LCS provides storage for content, authentication of content, enforcement of export rules, and watermarking and hashing of exported content. Stored content may be on an accessible rewritable medium, but it must be stored as ciphertext (encrypted or scrambled), not plain text, to prevent system-level extraction of the content. This is in contrast to the prior art, which affixes or otherwise attaches meta-data to the content for access control by the variously proposed systems.

Typically, an LCS receives secured data from one or more SECDs. The SECD transfers content only after it has been secured. For example, the SECD may use an individualized cryptographic container to protect music content while in transit. Such a container may use public/private key cryptography, ciphering and/or compression, if desired.

The LCS may be able to receive content from a SECD, and must be able to authenticate content received via any of the plurality of implemented paths. The LCS must monitor and enforce any rules that accompany received content, such as number of available copies. Finally, it is preferred for the LCS to watermark all exported material (with the exception of Path 6 - see below) and supply a hash made from the unique ID of the LCS and the content characteristics (so as to be maintained perceptually within the information and increase the level of security of the watermark).

SU Functions

The SU enables the content to be usable away from the LCS. The SU is partially within the LCS Domain. A protocol must exist for the SU and LCS to authenticate any connection made between them. This connection can have various levels of confidence set by the level of security between the SU and LCS and determinable by a certification authority or its equivalent, an authorized site for the content, for example. The transfer of content from the SU to the LCS without watermarking is allowed. However, all content leaving the SU must be watermarked. Preferably, the SU watermark contains a hash generated from the SU's Unique ID and the content characteristics of the content being transferred. If the content came from a LCS, the SU watermark must also be generated based, in part, upon the hash received from the LCS. The LCS and SU watermarking procedures do not need to be the same. However, the LCS must be able to read the SU watermarks for all different types of SU's with which it can connect. The SU does not need to be able to read any LCS watermarks. Each LCS and SU must have separate Unique IDs.

Sample Embodiment

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of the present invention, the objects and advantages thereof, reference is now made to the following descriptions taken in connection with the accompanying drawings in which:

FIG. 1 shows in block diagram form a system for one embodiment of an LCS, showing the possible paths for content to enter and exit the system.

FIG. 2 is a flow diagram illustrating the functions performed by the LCS of FIG. 1 when content enters the LCS Domain from the rewritable media.

FIG. 3 is a flow diagram illustrating the functions performed by the LCS of FIG. 1 when content enters the LCS Domain from the read-only media.

FIG. 4 is a flow diagram illustrating the functions performed by the LCS of FIG. 1 when content enters the LCS Domain from the satellite unit.

FIG. 5 is a flow diagram illustrating the functions performed by the LCS of FIG. 1 when content leaves the LCS Domain.

FIG. 6 is a flow diagram illustrating the functions performed by the LCS of FIG. 1 when content leaves the LCS Domain from the read-only media.

FIG. 7 is a flow diagram illustrating the functions performed by the LCS of FIG. 1 when content leaves the SU to a receiver other than the LCS.

DETAILED DESCRIPTION OF THE INVENTION

The preferred embodiment of the present invention and its advantages are best understood by referring to FIGs. 1 through 7 of the drawings, like numerals being used for like and corresponding parts of the various drawings.

FIG. 1 is a block diagram showing the components of a sample LCS system and showing the possible paths for content to enter and leave the LCS. In the embodiment of Figure 1, the LCS is a general purpose computing device such as a PC with software loaded to emulate the functions of a LCS. The LCS of Figure 1 has a Rewritable media (such as a hard drive), a Read-Only media (such as a CD-ROM drive), and software to control access (which software, in effect, defines the "LCS Domain"). The Secure Electronic Content Distributor (SECD) is connected via a network (such as the Internet, intranet, cable, satellite link, cellular communications network, or other commonly accepted network). The Satellite Unit (SU) is a portable player which connects to the LCS and/or to other players where applicable (for example by way of a serial interface, USB, IEEE 1394, infrared, or other commonly used interface protocol). FIG. 1 also identifies seven (7) pathways.

Path 1 depicts a secure distribution of digital content from a SECD to a LCS. The content can be secured during the transmission using one or more 'security protocols' (e.g., encryption or scrambling). Moreover, a single LCS may have the capability to receive content transmissions from multiple SECDs, and each SECD may use the same security protocols or different security protocols. In the context of FIG. 1, however, only a single SECD is displayed. It is also contemplated that the same SECD may periodically or randomly use different security protocols. A typical security protocol uses an asymmetric cryptographic system, an example being a public key cryptography system where private and public key pairs allow the LCS to authenticate and accept the received content. Another security protocol may involve the ability to authenticate the received content using a signature scheme.

In FIG. 2, content enters the LCS Domain from the rewritable media (such as a hard drive). This communication path is identified as Path 2 on FIG. 1. The LCS Domain analyzes the content to determine if a watermark is present in the content. If no watermark is present, then the quality of the content is downgraded to Low Quality before it is stored in the LCS Storage. If a watermark is present, then the watermark is extracted and compared with the watermark of the LCS in order to determine if a match exists. In the event of a match, the content is permitted to be stored on the LCS Storage at the same level of quality at which the content entered the LCS Domain. Optionally, if a watermark is present, the hash may be checked as further verification; and if the hash matches, the content is allowed in at High Quality. If it does not match, the content is rejected. If the extracted watermark does not match the expected watermark, then the content is denied access to the LCS Storage (i.e., the content is rejected).

In FIG. 3, content enters the LCS Domain from the Read-Only media. This communication path is identified as Path 3 on FIG. 1. The LCS Domain analyzes the content to determine if a watermark is present in the content. If no watermark is present, then the LCS attempts to further analyze the content using other methods (i.e., other than watermarking) to try and verify the content for originality. If the content cannot be verified or is deemed to have been altered, then the content is downgraded to Standard Quality (or even Low Quality) before it is stored in the LCS Storage. If a watermark is present, then the watermark is extracted and compared with the watermark of the LCS in order to determine if a match exists. In the event of a match, or in the event that the content is verified by means other than the watermark, the content is permitted to be stored on the LCS Storage at the same level of quality at which the content entered the LCS Domain (which is likely to be High Quality). For example, the Read-Only media may also contain a media-based identifier which verifies the content as an original, as opposed to a copy — and hence, a non-watermark method may be used to verify authenticity.

Optionally, even in the event of a watermark match, a hash may be checked as further verification; and if the hash matches, the content is allowed in at High Quality, but if there is no match, the content is rejected. If the extracted watermark does not match the expected watermark, or if the LCS is unable to identify any other method for verifying the content's authenticity, then the content may be denied access to the LCS Storage (i.e., the content may be rejected), or if preferred by the user, the content may be permitted into the system at a degraded quality level. It is the user's prerogative to decide how the system will treat non-authenticated content, as well as legacy content.

In FIG. 4, content enters the LCS Domain from the satellite unit. This communication path is identified as Path 4 on FIG. 1. Content from an SU is marked with an SU watermark before exiting the SU. The LCS analyzes the content from the SU for watermarks, and in particular to determine if there is a watermark that matches that of the LCS. If the watermarks match, the content is permitted access to the LCS at the highest quality level. If there is a mismatch, then the content is denied access (i.e., the content is rejected). If the content does not contain a watermark, the quality is downgraded to Low Quality before permitting access to the LCS. Optionally, even in the event of a watermark match, a hash may be checked as further verification; and access at the highest quality level may depend upon both a match in watermarks and a match in hashes.
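To make the entry rules of FIGs. 2 through 4 concrete, the following Python models them as one admission decision (an added example written for this page, not code from the patent). The Quality levels follow the Standard, Low and High definitions above. It assumes that the domain watermark carries the LCS's Unique ID and that the attached hash is a SHA-256 over the domain ID and the content bytes; the patent fixes neither. The patent states that a hash mismatch rejects content on Paths 2 and 3; applying the same rule on Path 4 is an assumption, as are the policy switches and the sample content.

```python
import hashlib
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Tuple


class Quality(IntEnum):
    LOW = 1        # sub-reference level (the page's example: 32 kHz, 16 bit, stereo)
    STANDARD = 2   # reference level (Red Book CD: 44.1 kHz, 16 bit, stereo)
    HIGH = 3       # any level, passed unaltered


class Path(IntEnum):
    REWRITABLE = 2   # FIG. 2: from rewritable media
    READ_ONLY = 3    # FIG. 3: from read-only media
    SATELLITE = 4    # FIG. 4: from a satellite unit


@dataclass
class Content:
    payload: bytes                        # content bytes (constructed)
    quality: Quality                      # quality at which it arrives at the domain
    watermark: Optional[str]              # extracted watermark (originating domain ID), if any
    attached_hash: Optional[str] = None   # attached hash, if any
    media_identifier_valid: bool = False  # read-only media's own originality check (Path 3)


@dataclass
class LCSPolicy:
    domain_id: str                           # this LCS's Unique ID; its watermark carries it
    check_hash: bool = True                  # the optional hash check of FIGs. 2-4
    admit_unverified_readonly: bool = True   # user's prerogative for non-authenticated read-only content


def expected_hash(domain_id: str, payload: bytes) -> str:
    """Assumed construction: hash of the domain ID and the content characteristics."""
    return hashlib.sha256(domain_id.encode() + b"|" + payload).hexdigest()


Decision = Tuple[str, Optional[Quality]]


def admit(policy: LCSPolicy, path: Path, content: Content) -> Decision:
    """Return ('ADMIT', quality) or ('REJECT', None) following the entry rules of FIGs. 2-4."""
    if content.watermark is None:
        if path is Path.READ_ONLY:
            if content.media_identifier_valid:
                # Verified by a non-watermark method: enters at its own quality
                return ("ADMIT", content.quality)
            # Cannot be verified: downgraded to Standard (the page also allows Low)
            return ("ADMIT", min(content.quality, Quality.STANDARD))
        # Paths 2 and 4: unwatermarked content is downgraded to Low Quality
        return ("ADMIT", Quality.LOW)

    if content.watermark != policy.domain_id:
        # Content of another domain is excluded, except where the user allows
        # degraded admission of non-authenticated read-only content
        if path is Path.READ_ONLY and policy.admit_unverified_readonly:
            return ("ADMIT", Quality.LOW)
        return ("REJECT", None)

    # Watermark matches this domain
    if policy.check_hash:
        if content.attached_hash != expected_hash(policy.domain_id, content.payload):
            return ("REJECT", None)       # stated for Paths 2 and 3; assumed for Path 4
        return ("ADMIT", Quality.HIGH)
    if path is Path.SATELLITE:
        return ("ADMIT", Quality.HIGH)    # SU content with a matching watermark: highest level
    return ("ADMIT", content.quality)     # same level at which it entered


# Constructed sample run (not from the page)
POLICY = LCSPolicy(domain_id="LCS-0001")
SONG = bytes(range(64))
OWN_COPY = Content(SONG, Quality.HIGH, "LCS-0001", expected_hash("LCS-0001", SONG))

if __name__ == "__main__":
    print(admit(POLICY, Path.REWRITABLE, OWN_COPY))
    print(admit(POLICY, Path.REWRITABLE, Content(SONG, Quality.HIGH, None)))
    print(admit(POLICY, Path.READ_ONLY, Content(SONG, Quality.HIGH, None, media_identifier_valid=True)))
```

Two points stand out once the rules are written as code: every exit from admit is an explicit decision, so a path that forgets a case cannot silently fall through to the highest quality, and the hash check is only consulted after the watermark has matched, which is the order the figures describe.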

In FIG. 5, content is shown leaving the LCS Domain. This communication path is identified as Path 5 on FIG. 1. Content is retrieved from the LCS storage and then the content may be watermarked with a watermark that is unique to the LCS (for example, one that is based upon the LCS's Unique ID). Optionally, a hash may be attached to the watermarked content, and/or the hash may be embedded as part of the watermark. If an external hash is used, preferably, for security purposes, the external hash should be created in a different manner from the embedded, watermark hash. Optionally, other information may be included in the watermark, for example, information to specify a time stamp, the number of allowable copies, etc. After watermarking, the content may be permitted to exit the LCS Domain, and may be exported to a device outside the LCS Domain, including for example, a rewritable media, a viewer, player, or other receiver.

WO 01/18628 PCT/US00/21189

In FIG. 6, content is shown leaving the LCS Domain. This communication path is identified as Path 6 on FIG. 1. This path is similar to Path 5, with a few important differences. The output receiver is an SU, and because the receiver is an SU, the content may leave the LCS without being watermarked. Path 6 requires a secure protocol to determine that the receiver is in fact an SU. Once the path is verified, the content can be exported without a watermark. The LCS may optionally transmit the content together with a hash value which will be uniquely associated with the content.

In FIG. 7, content is shown leaving the SU, to a receiver other than the LCS. This communication path is identified as Path 7 on FIG. 1. Content is retrieved from the SU storage and then the content may be watermarked with a watermark that is unique to the SU (for example, one that is based upon the SU's Unique ID). Optionally, a hash may be attached to the watermarked content, and/or the hash may be embedded as part of the watermark. If an external hash is used, preferably, for security purposes, the external hash should be created in a different manner from the embedded, watermark hash. Optionally, other information may be included in the watermark, for example, information to specify a time stamp, the number of allowable copies, etc., and may even include the hash which the LCS attached to the content. After watermarking, the content may be permitted to exit the SU, and may be exported to a device other than the LCS, including for example, a rewritable media, a viewer, player, or other receiver. The quality level of the content leaving the LCS is generally the same quality level as that of the content when stored internally to the LCS.

The system of the present invention is utilized to complete digital data transactions. A typical transaction would have the following steps:

1.) Using an LCS, a user connects to a SECD.

2.) The user reviews a collection of data sets which are available for license (which for purposes of this application, may be equated with a purchase). The user then selects a data set (e.g., a song or other content), and purchases (or otherwise obtains the right to receive) a copy of the data set. (The user may transmit purchase information, for example, credit card information, using digital security that is known in the art of electronic commerce.)

3.) The SECD transmits the secured content to the LCS. Before transmitting any digital content, the SECD embeds at least one watermark and may also transmit (perhaps through cryptography) at least one hash value along with the data being transmitted. The at least one hash value may be embedded with the at least one watermark or may be attached to the beginning or end of the data being transmitted. Alternately, the hash output may be combined in ways that are known in the art.

4.) The LCS optionally may send its public key to the SECD, in which case the SECD may use the LCS public key to apply an additional security measure to the data to be transmitted, before the data is actually transmitted to the LCS.

5.) The LCS receives the secured content transmitted by the SECD. The LCS may optionally use its private key to remove the additional layer of security which was applied with the LCS's public key.

6.) The LCS may authenticate the secure content that was received from the SECD by checking the watermark(s) and/or hash values. Optionally, the LCS may unpack the secured content from its security wrapper and/or remove any other layers of security. If the content can be authenticated, the content may be accepted into the LCS domain. Otherwise, it may be rejected.

Fragile Watermark Structure

A fragile watermark — one that is encoded in the LSB of each 16 bit sample — can actually hold all of the data that would typically comprise the information being transmitted in the SecureChannel™. At a typical sampling rate of 44.1 kHz, there are 88,200 16 bit samples for each second of data in the time domain (44,100 x 2 stereo channels). This provides 88,200 bits per second which may be used for storing a fragile watermark. A typical 3 minute stereo song could therefore accommodate 1.89 MB of data for a fragile watermark. (The watermark is called fragile, because it is easily removed without greatly sacrificing the quality of the audio data.) 1.89 MB represents an immense capacity relative to the expected size of the typical data to be transmitted in a SecureChannel (100 - 200 K).

Preferably, the fragile watermark is bound to a specific copy of a specific song, so that "information pirates" (i.e., would-be thieves) cannot detect a watermark and then copy it onto another song in an effort to feign authorization when none exists. A fragile watermark may also contain information which can be utilized by various receivers which might receive the signal being packaged. For instance, a fragile watermark may contain information to optimize the playback of a particular song on a particular machine. A particular example could include data which differentiates an MP3 encoded version of a song and an AAC encoded version of the same song.

One way to bind a fragile watermark to a specific data set is through the use of hash functions. An example is demonstrated by the following sequence of steps:

1) A digital data set (e.g., a song) is created by known means (e.g., sampling music at 44.1 kHz, to create a plurality of 16 bit data sets). The digital data set comprises a plurality of sample sets (e.g., a plurality of 16 bit data sets).

2) Information relative to the digital data set (e.g., information about the version of the song) is transformed into digital data (which we will call the SecureChannel data), and the SecureChannel data is then divided into a plurality of SecureChannel data blocks, each of which blocks may then be separately encoded.

3) A first block of the SecureChannel data is then encoded into a first block of sample sets (the first block of sample sets comprising — at a minimum — a sufficient number of sample sets to accommodate the size of the first block of SecureChannel data), for example by overwriting the LSB of each sample in the first block of sample sets.

4) A hash pool is created comprising the first block of encoded sample sets.

5) A first hash value is then created using i) the hash pool, ii) a random (or pseudorandom) number seeded using a code that serves to identify the owner of the digital data set, and iii) the SecureChannel data.

6) The first hash value is then encoded into a second block of sample sets, the second block of sample sets being sufficient in size to accommodate the size of the first hash value.

7) The second block of sample sets is then added to the hash pool.

8) A second block of the SecureChannel data is then encoded into a third block of sample sets.

9) The third block of encoded sample sets is added to the hash pool.

10) A second hash value is then created using i) the hash pool, ii) a random (or pseudorandom) number seeded using a code that serves to identify the owner of the digital data set, and iii) the SecureChannel data.

11) The second hash value is then encoded into a fourth block of sample sets.

Steps 7-11 are then repeated for successive blocks of SecureChannel data until all of the SecureChannel data is encoded. Understand that for each block of SecureChannel data, two blocks of content data are utilized. Moreover, for efficiency, one could use a predetermined subset of the samples in the hash pool, instead of the whole block.
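The eleven steps above, carried out in Python as an added example written for this page (not the patent's own implementation): the SecureChannel data is split into blocks, each block is written into the LSBs of 16-bit samples, and each chained hash covers the growing pool of encoded samples, a pseudorandom number drawn from a generator seeded with the owner's code, and the whole SecureChannel data. SHA-256 as the hash, the 64-bit pseudorandom value, the 16-byte block size, the owner code and the two carrier signals are all assumptions or constructed values; the patent fixes none of them.

```python
import hashlib
import hmac
import random
from typing import List, Tuple

HASH_SIZE = 32   # SHA-256 digest length in bytes (assumed; the page fixes no hash)


def _write_lsbs(samples: List[int], start: int, data: bytes) -> int:
    """Overwrite the LSB of consecutive 16-bit samples with the bits of data (MSB first).
    Returns the index of the first sample after the written block."""
    i = start
    for byte in data:
        for bit in range(7, -1, -1):
            samples[i] = (samples[i] & 0xFFFE) | ((byte >> bit) & 1)
            i += 1
    return i


def _read_lsbs(samples: List[int], start: int, nbytes: int) -> bytes:
    """Inverse of _write_lsbs: rebuild nbytes from the LSBs starting at start."""
    out = bytearray()
    i = start
    for _ in range(nbytes):
        byte = 0
        for _ in range(8):
            byte = (byte << 1) | (samples[i] & 1)
            i += 1
        out.append(byte)
    return bytes(out)


def _hash_pool(samples: List[int], end: int) -> bytes:
    """Steps 4, 7 and 9: the pool is every encoded sample so far, as raw 16-bit words."""
    return b"".join(s.to_bytes(2, "big") for s in samples[:end])


def _chain_hash(pool: bytes, rng: random.Random, sc_data: bytes) -> bytes:
    """Steps 5 and 10: hash of (i) the pool, (ii) a pseudorandom number from a generator
    seeded with the owner's code, (iii) the whole SecureChannel data."""
    owner_random = rng.getrandbits(64).to_bytes(8, "big")
    return hashlib.sha256(pool + owner_random + sc_data).digest()


def embed(samples: List[int], sc_data: bytes, owner_code: str, block_size: int) -> List[int]:
    """Steps 3 to 11: return a copy of samples carrying sc_data and the chained hashes."""
    out = list(samples)
    blocks = [sc_data[i:i + block_size] for i in range(0, len(sc_data), block_size)]
    needed = (len(sc_data) + len(blocks) * HASH_SIZE) * 8   # one LSB per bit
    if needed > len(out):
        raise ValueError(f"carrier too short: need {needed} samples, have {len(out)}")
    rng = random.Random(owner_code)
    pos = 0
    for block in blocks:
        pos = _write_lsbs(out, pos, block)                        # data block -> sample block
        digest = _chain_hash(_hash_pool(out, pos), rng, sc_data)  # pool now includes it
        pos = _write_lsbs(out, pos, digest)                       # hash -> next sample block
    return out


def verify(samples: List[int], sc_len: int, owner_code: str, block_size: int) -> Tuple[bool, bytes]:
    """Recover the SecureChannel data and check every chained hash. Each hash covers the
    whole SecureChannel data, so all data blocks are read before any hash is recomputed."""
    data = bytearray()
    hash_slots = []          # (pool end index, stored digest), in embedding order
    pos, remaining = 0, sc_len
    while remaining > 0:
        n = min(block_size, remaining)
        data += _read_lsbs(samples, pos, n)
        pos += n * 8
        remaining -= n
        hash_slots.append((pos, _read_lsbs(samples, pos, HASH_SIZE)))
        pos += HASH_SIZE * 8
    rng = random.Random(owner_code)
    for pool_end, stored in hash_slots:
        expected = _chain_hash(_hash_pool(samples, pool_end), rng, bytes(data))
        if not hmac.compare_digest(expected, stored):
            return False, bytes(data)
    return True, bytes(data)


def transplant(marked: List[int], other: List[int]) -> List[int]:
    """Copy the embedded LSB stream onto a different carrier; binding means this must fail."""
    return [(o & 0xFFFE) | (m & 1) for m, o in zip(marked, other)]


# Constructed carriers and SecureChannel data (not from the page)
SONG_A = [(i * 37 + 1000) & 0xFFFF for i in range(4000)]
SONG_B = [(i * 91 + 5000) & 0xFFFF for i in range(4000)]
SC_DATA = b"version=AAC;owner=Label-X;optimize=player-7"
OWNER_CODE = "OWNER-CODE-42"
BLOCK = 16

if __name__ == "__main__":
    marked = embed(SONG_A, SC_DATA, OWNER_CODE, BLOCK)
    print("own copy:", verify(marked, len(SC_DATA), OWNER_CODE, BLOCK)[0])
    print("moved to another song:", verify(transplant(marked, SONG_B), len(SC_DATA), OWNER_CODE, BLOCK)[0])
```

Because each hash pool contains the carrier's upper fifteen bits as well as the embedded LSBs, the same LSB stream copied onto a different song fails verification, which is the binding property the preceding paragraph asks for. Flipping any single sample inside the covered region also fails, which is what makes the watermark fragile, while samples outside that region are untouched.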

Each SecureChannel block may, for example, have the following structure:

{
    long BlockIdentifier;          // A code for the type of block
    long BlockLength;              // The length of the block
    ...                            // Block data of a length matching BlockLength
    char IdentityHash[hashSize];
    char InsertionHash[hashSize];
}

In theory, each SecureChannel block may be of a different type of block (i.e., may 
20 begin with a different Blockldentifier). In operation, a software application (or even 
an ASIC) may read the Blockldentifier and determine whether it is a recognized 
block type for the particular application. If the application does not recognize the 
block type, the application may use the BlockLength to skip this block of 
SecureChannel. 

Certain block types will be required to be present if the SecureChannel is going to be accepted. These might include an identity block and a SecureChannel hash block. The SecureChannel data may or may not be encrypted, depending on whether the data is transfer-restricted (a type of value-adding component, that is, VAC) or simply informative. For instance, user-added SecureChannel data need not be encrypted. A BlockIdentifier may also be used to indicate whether a SecureChannel data block is encrypted or not.
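The block walk described above, written out as an added Python example (not code from the patent): it reads BlockIdentifier and BlockLength, skips unrecognised block types by their declared length, refuses a BlockLength that runs past the buffer, and accepts the SecureChannel only when the required block types are present. The byte layout, the numeric type codes and the use of the top bit of BlockIdentifier as the encrypted flag are assumptions, since the page names the fields but fixes no encoding.

```python
import struct
from dataclasses import dataclass
from typing import List, Set

# Byte layout assumed for this example (the page gives field names only):
# 4-byte little-endian BlockIdentifier, 4-byte BlockLength (bytes of block data),
# BlockLength bytes of data, then IdentityHash and InsertionHash of HASH_SIZE bytes.
HASH_SIZE = 32
HEADER = struct.Struct("<II")

# Assumed type codes; the page names identity and SecureChannel-hash blocks
# as required types but assigns no numeric values to them.
BLOCK_IDENTITY = 0x0001
BLOCK_SC_HASH = 0x0002
BLOCK_USER_DATA = 0x0100
ENCRYPTED_FLAG = 0x80000000  # assumed: top bit of BlockIdentifier marks an encrypted block

REQUIRED_TYPES: Set[int] = {BLOCK_IDENTITY, BLOCK_SC_HASH}
KNOWN_TYPES: Set[int] = REQUIRED_TYPES | {BLOCK_USER_DATA}


@dataclass
class SCBlock:
    block_type: int
    encrypted: bool
    data: bytes
    identity_hash: bytes
    insertion_hash: bytes


def build_block(block_type: int, data: bytes, encrypted: bool = False,
                identity_hash: bytes = b"\0" * HASH_SIZE,
                insertion_hash: bytes = b"\0" * HASH_SIZE) -> bytes:
    """Serialise one block (used here only to construct sample input)."""
    ident = block_type | (ENCRYPTED_FLAG if encrypted else 0)
    return HEADER.pack(ident, len(data)) + data + identity_hash + insertion_hash


def parse_blocks(buf: bytes) -> List[SCBlock]:
    """Walk SecureChannel data block by block. Unrecognised block types are
    skipped via BlockLength instead of aborting the parse; a BlockLength that
    would run past the buffer is rejected before any slice is taken."""
    blocks: List[SCBlock] = []
    off = 0
    while off < len(buf):
        if len(buf) - off < HEADER.size:
            raise ValueError("truncated block header at offset %d" % off)
        ident, length = HEADER.unpack_from(buf, off)
        off += HEADER.size
        end = off + length + 2 * HASH_SIZE
        if end > len(buf):
            raise ValueError("BlockLength runs past end of SecureChannel data")
        block_type = ident & ~ENCRYPTED_FLAG
        if block_type in KNOWN_TYPES:
            data_end = off + length
            blocks.append(SCBlock(block_type, bool(ident & ENCRYPTED_FLAG),
                                  buf[off:data_end],
                                  buf[data_end:data_end + HASH_SIZE],
                                  buf[data_end + HASH_SIZE:end]))
        off = end  # known or not, advance by the declared length
    return blocks


def is_acceptable(blocks: List[SCBlock]) -> bool:
    """The SecureChannel is accepted only if every required block type is present."""
    return REQUIRED_TYPES <= {b.block_type for b in blocks}


# Constructed sample: identity block, an unknown (future) block type, and an
# encrypted SecureChannel-hash block carrying a placeholder digest.
SAMPLE = (build_block(BLOCK_IDENTITY, b"owner-code-0001")
          + build_block(0x7777, b"unknown-type payload")
          + build_block(BLOCK_SC_HASH, b"\x11" * HASH_SIZE, encrypted=True))

if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE)
    for b in parsed:
        print(hex(b.block_type), "encrypted" if b.encrypted else "plain", len(b.data))
    print("acceptable:", is_acceptable(parsed))
```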
Robust Open Watermark (ROW) 
A Robust-Open Watermark may be used to divide content into three categories. (The term "open watermark" is used merely to indicate that the watermark relies on a secret which is shared by an entire class of devices, as opposed to a secure watermark — which is readable only by a single member of a class of devices.) A binary setting may be used, whereby one state (e.g., "1") may be used to identify secure protected content — such as content that is distributed in a secured manner. When the LCS detects a secured status (e.g., by determining that the ROW is "1"), the content must be accompanied by an authenticatable SecureChannel before the content is permitted to enter the LCS Domain (e.g., electronic music distribution or EMD content). The other binary state (e.g., "0") may be used to identify unsecured content, for example, non-legacy media that is distributed in a pre-packaged form (e.g. CDs). When the binary setting is "0", the content may or may not have a SecureChannel. Such "0 content" shall only be admitted from a read-only medium in its original file format (e.g., a 0 CD shall only be admitted if it is present on a Redbook CD medium). On the other hand, if the ROW is absent, then the LCS will understand that the content is "legacy". Legacy content may be admitted, or optionally, may be checked for a fragile watermark — and then admitted only if the fragile watermark is present. It would be possible to permit unfettered usage of legacy content — though again, it is the prerogative of the user who sets up the LCS.
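The three-way ROW admission rule above, as an added Python example (not code from the patent): ROW "1" requires an authenticatable SecureChannel, ROW "0" is admitted only from a read-only medium in its original format, and absent ROW is treated as legacy, with the fragile-watermark check left to the LCS owner's policy. The ContentItem fields and the LcsPolicy switch are assumptions used to model the inputs the page names.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Category(Enum):
    SECURED = "secured"      # ROW reads "1": content distributed in a secured manner
    UNSECURED = "unsecured"  # ROW reads "0": pre-packaged, non-legacy media such as a CD
    LEGACY = "legacy"        # no ROW present at all


@dataclass
class ContentItem:
    row: Optional[int]              # 1, 0, or None when no ROW is detected (assumed model)
    secure_channel_authentic: bool  # an authenticatable SecureChannel accompanies the content
    read_only_medium: bool          # e.g. present on a Redbook CD
    original_format: bool           # still in the file format it was distributed in
    fragile_watermark_present: bool


@dataclass
class LcsPolicy:
    """Set by whoever configures the LCS: whether legacy content must still
    carry a fragile watermark to be admitted (assumed switch)."""
    require_fragile_for_legacy: bool = False


def categorize(item: ContentItem) -> Category:
    if item.row is None:
        return Category.LEGACY
    return Category.SECURED if item.row == 1 else Category.UNSECURED


def admit(item: ContentItem, policy: LcsPolicy) -> Tuple[Category, bool, str]:
    """Return (category, admitted, reason) for one item entering the LCS Domain."""
    cat = categorize(item)
    if cat is Category.SECURED:
        if item.secure_channel_authentic:
            return cat, True, "ROW=1 with authenticatable SecureChannel"
        return cat, False, "ROW=1 but no authenticatable SecureChannel"
    if cat is Category.UNSECURED:
        # "0 content" is admitted only from read-only media in its original format,
        # whether or not a SecureChannel happens to be present.
        if item.read_only_medium and item.original_format:
            return cat, True, "ROW=0 from read-only medium in original format"
        return cat, False, "ROW=0 not on read-only medium or not in original format"
    # Legacy: admitted outright, or only with a fragile watermark if the policy says so.
    if policy.require_fragile_for_legacy and not item.fragile_watermark_present:
        return cat, False, "legacy content without fragile watermark"
    return cat, True, "legacy content admitted"


if __name__ == "__main__":
    # Constructed sample items covering each branch.
    for item in (ContentItem(1, True, False, True, False),
                 ContentItem(0, False, True, True, False),
                 ContentItem(0, True, False, False, False),
                 ContentItem(None, False, False, True, False)):
        print(admit(item, LcsPolicy(require_fragile_for_legacy=True)))
```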

Robust Forensic Watermark 

Preferably, a robust forensic watermark is not accessible in any way to the consumer — or to "information pirates." A forensic watermark may be secured by a symmetric key held only by the seller. A transaction ID may be embedded at the time of purchase with a hash matching the symmetric key. The watermark is then embedded using a very low density insertion mask (< 10 %), making it very difficult to find without the symmetric key. Retrieval of such a watermark is not limited by real-time/low cost constraints. The recovery will typically only be attempted on known pirated material, or material which is suspected of piracy. A recovery time of 2 hours on a 400 MHz PC may, therefore, be reasonable.
Sample Embodiment - Renewability 
The system of the present invention contemplates the need for updating and replacing previously-embedded watermarks (which may be thought of generally as "renewing" a watermark). If someone is able to obtain the algorithms used to embed a watermark — or is otherwise able to crack the security, it would be desirable to be able to embed a new watermark using a secure algorithm. New watermarks, however, cannot be implemented with complete success overnight, and thus, there inevitably will be transition periods where older SPCSs are operating without updated software. In such a transition period, the content must continue to be recognizable to both the old SPCSs and the upgraded SPCSs. A solution is to embed both the original and the upgraded watermarks into content during the transition periods. Preferably, it is the decision of the content owner to use both techniques or only the upgraded technique.

The operation of the system of the present invention is complicated, however, by the presence of "legacy" digital content which is already in the hands of consumers (that is, digital content that was commercially distributed before the advent of watermarking systems) because legacy content will continue to be present in the future. Moreover, pirates who distribute unauthorized content will also complicate matters because such unauthorized copies are likely to be distributed in the same formats as legacy content. As it is unlikely that such unwatermarked content can ever be completely removed, the present system must try to accommodate such content.

Hardware can be configured to read old ROW content and extract the old 
ROW and insert in the content a new ROW. 
Sample Embodiment - SPCS Audio Server 

Tables 1, 2 and 3 depict a sample embodiment for an SPCS Audio Server, and in particular show how secured content packages are created as downloadable units (Table 1), how the LCS works on the input side for an SPCS Audio Server (Table 2), and how the LCS works on the output side (Table 3).

While the invention has been particularly shown and described by the foregoing detailed description, it will be understood by those skilled in the art that various other changes in form and detail may be made without departing from the spirit and scope of the invention.



WO 01/18628 PCT/US00/21189



Table 1

Table 2

Table 3

SPCS Audio Player Output Stage
Claims:

1. A local content server system (LCS) for creating a secure environment for digital content, comprising:

a) a communications port in communication for connecting the system via a network to at least one Secure Electronic Content Distributor (SECD), said SECD capable of storing a plurality of data sets, capable of receiving a request to transfer at least one content data set, and capable of transmitting the at least one content data set in a secured transmission;

b) a rewritable storage medium whereby content received from outside the LCS may be stored and retrieved;

c) a domain processor that imposes rules and procedures for content being transferred between the LCS and devices outside the LCS; and

d) a programmable address module which can be programmed with an identification code uniquely associated with the LCS; and

said domain processor permitting the LCS to receive digital content from outside the LCS provided the LCS first determines that the digital content being delivered to the LCS is authorized for use by the LCS.

2. The LCS of claim 1 further comprising

e) an interface to permit the LCS to communicate with one or more Satellite Units (SU) which may be connected to the system through the interface, said SUs capable of receiving and transmitting digital content;

and wherein said domain processor permits the LCS to receive digital content from an SECD that is connected to the LCS's communication port, provided the LCS first determines that digital content being received is authorized for use by the LCS,

and wherein said domain processor permits the LCS to deliver digital content to an SU that may be connected to the LCS's interface, provided the LCS first determines that digital content being received is authorized for use by the SU.
3. A local content server system (LCS) for creating a secure environment for digital content, comprising:

a) a communications port in communication for connecting the system via a network to at least one Secure Electronic Content Distributor (SECD), said SECD capable of storing a plurality of data sets, capable of receiving a request to transfer at least one content data set, and capable of transmitting the at least one content data set in a secured transmission;

b) an interface to permit the LCS to communicate with one or more Satellite Units (SU) which may be connected to the system through the interface, said SUs capable of receiving and transmitting digital content; and

c) a rewritable storage medium whereby content received from an SECD and from an SU may be stored and retrieved;

d) a domain processor that imposes rules and procedures for content being transferred between the LCS and the SECD and between the LCS and the SU; and

e) a programmable address module which can be programmed with an identification code uniquely associated with the LCS;

said domain processor permitting the LCS to deliver digital content to and receive digital content from an SU that is connected to the LCS's interface, provided the LCS first determines that the digital content being delivered to the SU is authorized for use by the SU or that the digital content being received is authorized for use by the LCS,

and said domain processor permitting the LCS to receive digital content from an SECD that is connected to the LCS's communication port, provided the LCS first determines that digital content being received is authorized for use by the LCS.

4. The system of claim 3, wherein said domain processor determines whether 
digital content is authorized for use by extracting a watermark from the digital 
content being transferred. 

5. The system of claim 3, wherein said domain processor comprises:

means for obtaining an identification code from an SU connected to the LCS's interface;

an analyzer to analyze the identification code from the SU to determine if the SU is an authorized device for communicating with the LCS;

means for analyzing digital content received from an SU;

said system permitting the digital content to be stored in the LCS if i) an analysis of the digital content received from the SU concludes that the content is authenticated, or ii) an analysis of the digital content received from the SU concludes that the content cannot be authenticated because no authentication data is embedded in the content, and

said system preventing the digital content from being stored on the LCS if i) an analysis of the digital content received from the SU concludes that the content is unauthenticated.

6. The system of claim 4, wherein said analyzer of the domain processor comprises means for extracting digital watermarks from the digital content received from an SU, and means for analyzing the digital watermark to determine if the digital content has been previously marked with the unique identification code of the LCS.

7. The system of claim 4, wherein said system permits the digital content to be stored in the LCS at a degraded quality level if an analysis of the digital content received from the SU concludes that the digital content received from the SU cannot be authenticated because there is no authentication data embedded in the content.

8. The system of claim 4, further comprising at least one SU, each such SU 
being capable of communicating with the LCS. 

9. The system of claim 8, wherein the SU has means for sending a message to the LCS indicating that the SU is requesting a copy of a content data set that is stored on the LCS, said message including information about the identity of the SU, and wherein the LCS comprises:

means to analyze the message from the SU to confirm that the SU is authorized to use the LCS;

means to retrieve a copy of the requested content data set;

means to embed at least one robust open watermark into the copy of the requested content data set, said watermark indicating that the copy is authenticated;

means to embed a second watermark into the copy of the requested content data set, said second watermark being created based upon information transmitted by the SU and information about the LCS; and

means to deliver the watermarked content data set to the SU for its use.

10. The system of claim 8, further comprising a SECD, said SECD capable of receiving a request to transfer at least one data set and capable of transmitting the at least one data set in a secured transmission.
11. The system of claim 10,

wherein the SU includes means to send a message to the LCS indicating that the SU is requesting a copy of a content data set that is not stored on the LCS, but which the LCS can obtain from an SECD, said message including information about the identity of the SU;

wherein the SECD comprises:

means to retrieve a copy of the requested content data set;

means to embed at least one robust open watermark into the copy of the requested content data set, said watermark indicating that the copy is authenticated;

means to embed a second watermark into the copy of the requested content data set, said second watermark being created based upon information transmitted by the LCS; and

means to deliver the watermarked content data set to the LCS for its use; and

wherein the LCS comprises:

means to analyze the message from the SU to confirm that the SU is authorized to use the LCS;

means to receive a copy of the requested content data set as transmitted by the SECD;

means to extract at least one watermark to confirm that the content data is authorized for use by the LCS;

means to embed at least one robust open watermark into the copy of the requested content data set, said watermark indicating that the copy is authenticated;

means to embed a second watermark into the copy of the requested content data set, said second watermark being created based upon information transmitted by the SU and information about the LCS; and

means to deliver the watermarked content data set to the SU for its use.

12. The system of claim 8, wherein the SU has means for sending a message to the LCS indicating that the SU is requesting to store a copy of a content data set on a storage unit of the LCS, said message including information about the identity of the SU, and wherein the LCS comprises:

means to analyze the message from the SU to confirm that the SU is authorized to use the LCS;

means to receive a copy of the content data set;

means to determine if a robust open watermark is embedded in the content data set, and to extract the robust open watermark if it is determined that one exists;

means to analyze any extracted robust open watermarks to determine if the content data set can be authenticated;

means to permit the storage of the content data set on a storage unit of the LCS if i) the LCS authenticates the content data set, or ii) the LCS determines that no robust open watermark is embedded in the content signal.

13. The system of claim 4, further comprising at least one SU, each such SU being capable of communicating with the LCS, and being capable of using only data which has been authorized for use by the SU or which has been determined to be legacy content such that the data contains no additional information to permit authentication.

14. The system of claim 5, wherein the LCS further comprises:

means to embed at least one robust open watermark into a copy of content data, said watermark indicating that the copy is authenticated;

means to embed a second watermark into the copy of content data, said second watermark being created based upon information comprising information uniquely associated with the LCS; and

means to embed a third watermark into the copy of content data, said third watermark being a fragile watermark created based upon information which can enhance the use of the content data on one or more SUs.

15. The system of claim 5, wherein the LCS further comprises:

means for encrypting or scrambling content data, such that content data may be encrypted or scrambled before it is stored in the rewritable storage medium.

16. A system for creating a secure environment for digital content, comprising:

a Secure Electronic Content Distributor (SECD);

a Local Content Server (LCS);

a communications network interconnecting the SECD to the LCS; and

a Satellite Unit (SU) capable of interfacing with the LCS;

said SECD comprising: a storage device for storing a plurality of data sets; an input for receiving a request from the LCS to purchase a selection of at least one of said plurality of data sets; a transaction processor for validating the request to purchase and for processing payment for the request; a security module for encrypting or otherwise securitizing the selected at least one data set; and an output for transmitting the selected at least one data set that has been encrypted or otherwise secured for transmission over the communications network to the LCS;

said LCS comprising: a domain processor; a first interface for connecting to a communications network; a second interface for communicating with the SU; a memory device for storing a plurality of data sets; and a programmable address module which can be programmed with an identification code uniquely associated with the LCS; and

said SU being a portable module comprising: a memory for accepting secure digital content from a LCS; an interface for communicating with the LCS; and a programmable address module which can be programmed with an identification code uniquely associated with the SU.

17. A Method for creating a secure environment for digital content for a consumer, comprising the following steps:

sending a message indicating that a user is requesting a copy of a content data set;

retrieving a copy of the requested content data set;

embedding at least one robust open watermark into the copy of the requested content data set, said watermark indicating that the copy is authenticated;

embedding a second watermark into the copy of the requested content data set, said second watermark being created based upon information transmitted by the requesting user;

transmitting the watermarked content data set to the requesting consumer via an electronic network;

receiving the transmitted watermarked content data set into a Local Content Server (LCS) of the user;

extracting at least one watermark from the transmitted watermarked content data set; and

permitting use of the content data set if the LCS determines that use is authorized.

18. The Method of claim 17, wherein the step of permitting use of the content data set if the LCS determines that use is authorized comprises:

checking to see if a watermark extracted from the content data set includes information which matches unique information which is associated with the user; and

permitting the storage of the content data set in a storage unit for the LCS.
19. The Method of claim 17, further comprising:

connecting a Satellite Unit (SU) to an LCS,

and wherein the step of permitting use of the content data set if the LCS determines that use is authorized comprises:

checking to see if a watermark extracted from the content data set includes information which matches unique information which is associated with the user; and

embedding a watermark into the content data set using information that is associated with the user and information that is associated with an SU;

delivering the content data set to the SU for its use.
20. A Method for creating a secure environment for digital content for a consumer, comprising the following steps:

connecting a Satellite Unit to a local content server (LCS),

sending a message indicating that the SU is requesting a copy of a content data set that is stored on the LCS, said message including information about the identity of the SU;

analyzing the message to confirm that the SU is authorized to use the LCS; and

retrieving a copy of the requested content data set;

assessing whether a secured connection exists between the LCS and the SU;

if a secured connection exists, embedding a watermark into the copy of the requested content data set, said watermark being created based upon information transmitted by the SU and information about the LCS; and

delivering the content data set to the SU for its use.
21. The Method of claim 20, further comprising:

embedding an open watermark into the content data to permit enhanced usage of the content data by the user.
22. The Method of claim 21, further comprising:

embedding at least one additional watermark into the content data, said at least one additional watermark being based on information about the user, the LCS and an origin of the content data, said watermark serving as a forensic watermark to permit forensic analysis to provide information on the history of the content data's use.

23. The method of claim 20, wherein the content data can be stored at a level of 
quality which is selected by a user. 

24. A Method for creating a secure environment for digital content for a consumer, comprising the following steps:

connecting a Satellite Unit (SU) to a local content server (LCS),

sending a message indicating that the SU is requesting a copy of a content data set that is stored on the LCS, said message including information about the identity of the SU;

analyzing the message to confirm that the SU is authorized to use the LCS; and

retrieving a copy of the requested content data set;

assessing whether a secured connection exists between the LCS and the SU;

if a secured connection exists, embedding a watermark into the copy of the requested content data set, said watermark being created based upon information transmitted by the SU and information about the LCS; and

delivering the watermarked content data set to the SU for its use.
25. The method of claim 24, further comprising:

embedding at least one robust open watermark into the copy of the requested content data set before the requested content data is delivered to the SU, said watermark indicating that the copy is authenticated.

26. The method of claim 25, wherein the robust watermark is embedded using any one of a plurality of embedding algorithms.

26. The method of claim 24, further comprising: 

embedding a watermark which includes a hash value from a one-way hash 
function generated using the content data. 

27. The method of claim 25, wherein the robust watermark can be periodically replaced with a new robust watermark generated using a new algorithm with payload that is no greater than that utilized by the old robust watermark.

28. The method of claim 24, further comprising the step of:

embedding additional robust open watermarks into the copy of the requested content data set before the requested content data is delivered to the SU, using a new algorithm; and

re-saving the newly watermarked copy to the LCS.

29. The method of claim 24, further comprising the step of:

saving a copy of the requested content data with the robust watermark to the rewritable media of the LCS.

30. A Method for creating a secure environment for digital content for a consumer, comprising the following steps:

connecting a Satellite Unit (SU) to a local content server (LCS),

sending a message indicating that the SU is requesting to store a copy of a content data on the LCS, said message including information about the identity of the SU;

analyzing the message to confirm that the SU is authorized to use the LCS; and

receiving a copy of the content data set;

assessing whether the content data set is authenticated;

if the content data is unauthenticated, denying access to the LCS storage unit; and

if the content data is not capable of authentication, accepting the data at a predetermined quality level, said predetermined quality level having been set for legacy content.